Subscribe to the Non-Human & AI Identity Journal

Why do third-party vendors create a disproportionate cyber risk?

Third-party vendors create disproportionate risk because they extend trust outside the organisation’s direct control. Their access may be broad, persistent, and poorly reviewed, especially when OAuth apps, support accounts, or shared credentials are involved. The key failure is not vendor presence alone, but the lack of lifecycle discipline around that access.

Why This Matters for Security Teams

Third-party vendors become disproportionate cyber risk because they inherit trust without inheriting the organisation’s control plane. A vendor account, OAuth grant, support login, or API key can bypass normal access reviews and remain active long after the business need has changed. That creates a hidden extension of the attack surface, especially when the access is tied to shared credentials or broad service permissions. Current guidance suggests treating vendor access as a lifecycle problem, not a procurement checkbox, as reflected in NIST Cybersecurity Framework 2.0 and in NHIMG’s Ultimate Guide to NHIs — Why NHI Security Matters Now.

The practical risk is not limited to direct compromise. A vendor token can be reused, over-scoped, or chained into other systems, turning one external relationship into many internal paths. NHIMG research shows that 92% of organisations expose NHIs to third parties, which is why vendors so often sit at the centre of incident response and audit findings. In practice, many security teams encounter vendor abuse only after an alert, breach, or audit exception exposes how much standing access had quietly accumulated.

How It Works in Practice

The strongest vendor controls focus on what the vendor can do right now, not what they were allowed to do at onboarding. That means tying each third-party identity to a named business purpose, an owner, a maximum lifespan, and a revocation path. For non-human access, the preferred model is short-lived and task-specific: issue credentials just in time, limit scope to the minimum required action, and revoke them automatically when the task ends. This is a better fit than static role-based access because vendor behaviour is often intermittent, event-driven, and difficult to predict.

In mature environments, the control stack usually includes:

  • workload identity for the vendor integration or service account, rather than a shared human login;
  • policy-as-code that evaluates context at request time, not only at approval time;
  • secret rotation and expiry aligned to the vendor task or contract window;
  • continuous review of OAuth grants, support channels, and API scopes;
  • offboarding steps that revoke credentials, not just disable a portal user.

This approach aligns well with the emerging NHI guidance in OWASP Non-Human Identity Top 10 and with NHIMG’s Top 10 NHI Issues, both of which emphasise lifecycle discipline, least privilege, and visibility. For monitoring and escalation, teams should also anchor vendor event handling to CISA cyber threat advisories so exposure can be mapped to current attack patterns. These controls tend to break down when vendors require broad production access for support, because shared admin workflows make least privilege hard to enforce without redesigning the operating model.

Common Variations and Edge Cases

Tighter vendor access controls often increase onboarding friction and operational overhead, so organisations must balance speed of delivery against the cost of broader trust. That tradeoff is especially visible with SaaS integrations, outsourced support desks, and managed service providers, where the vendor may need delegated access across multiple environments.

There is no universal standard for this yet, but best practice is evolving toward differentiated treatment based on risk. A low-risk analytics vendor should not receive the same access pattern as a payment processor or an incident-response partner. Long-lived integrations may justify standing access in limited cases, but only when paired with strong monitoring, strict segmentation, and frequent recertification. For high-risk access paths, the safer pattern is ephemeral credentials and runtime authorisation, not permanent entitlements.

One common mistake is assuming that contract language alone constrains vendor risk. It does not. Risk is controlled by the actual identity artefacts in use, the secrets storage model, and the revocation process. NHIMG’s Ultimate Guide to NHIs — Key Challenges and Risks is useful here because it frames the operational reality: exposure persists when secrets are not rotated, access is not inventoried, and third parties remain connected after the business need ends. That is why vendor risk often looks manageable on paper but becomes material during incident containment.

Standards & Framework Alignment

This section maps relevant standards and security frameworks to the operational risks and controls described in this guidance.

OWASP Non-Human Identity Top 10 and CSA MAESTRO address the attack and risk surface, while NIST AI RMF set the governance and control requirements practitioners need to meet.

Framework Control / Reference Relevance
OWASP Non-Human Identity Top 10 NHI-03 Vendor access often fails when secrets are not rotated or revoked on time.
CSA MAESTRO MAESTRO addresses governance for third-party and agentic access paths.
NIST AI RMF AI RMF is relevant where vendors provide autonomous or AI-driven services.

Set explicit expiry and rotation rules for every third-party secret and automate revocation at offboarding.

#1 Authority in NHI Education, Research and Advisory, empowering organizations to tackle the critical risks posed by Non-Human Identities (NHIs), including AI Agents.

Get in Touch

Quick Links

Legal & Policies

©2025 NHIMG. All right reserved.